Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.A new feature to fix DRUPAL-PSA-2016-003 security issue.
Notify on site status report page if insecure webforms are found. Webforms should be considered insecure if anonymous users are allowed to submit files using public scheme.
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | warn_admin_users_on-2816405-7.patch | 3.96 KB | vinmassaro |
| |||
| #5 | webform-security_report-2816405-5.patch | 1.65 KB | ilari.stenroth |
| |||
Comments
Comment #2
ilari.stenroth CreditAttribution: ilari.stenroth at Exove commentedHere's a patch to implement the feature.
Comment #3
ilari.stenroth CreditAttribution: ilari.stenroth at Exove commentedComment #4
ilari.stenroth CreditAttribution: ilari.stenroth at Exove commentedComment #5
ilari.stenroth CreditAttribution: ilari.stenroth at Exove commentedNew revision of the patch. Now counts correctly insecure webforms.
Comment #6
vinmassaro CreditAttribution: vinmassaro commented@ilari.stenroth: thanks for this patch - I'm modifying it slightly to add links to the problem webforms. New patch coming shortly.
Comment #7
vinmassaro CreditAttribution: vinmassaro commentedHere is a new patch that combines my additions with the patch from #5. It adds a list of problem webforms with links to each so they can be more easily edited. This is very helpful for a site with a lot of webforms.
Comment #8
DanChadwick CreditAttribution: DanChadwick commentedDifficulties with this approach:
1) There may well be authenticated-but-untrusted users.
2) Webform API functions alter submission creation and edit access, making it difficult or impossible to know if a particular user can upload a file and is also untrusted.
3) Some sites have a huge number of webforms, which will cause this to time-out.